#50: Upgraded hadoop-client dependency to fix CVE (#61)

Fixes #50

doc/changes/changes_1.3.3.md

@@ -4,7 +4,7 @@ Code name: Fix vulnerabilities in dependencies
 
 ## Summary
 
-This release fixes [sonatype-2022-5401](https://ossindex.sonatype.org/vulnerability/sonatype-2022-5401) in reload4j.
+This release fixes `sonatype-2022-5401` in reload4j.
 
 ## Features
 

doc/changes/changes_2.0.1.md

@@ -7,7 +7,7 @@ Code name: Update Dependencies
 This release fixes vulnerabilities by updating dependencies:
 
 * `com.fasterxml.woodstox:woodstox-core:jar:5.3.0:compile`: CVE-2022-40152
-* `com.fasterxml.jackson.core:jackson-core:jar:2.12.7:compile`: [sonatype-2022-6438](https://ossindex.sonatype.org/vulnerability/sonatype-2022-6438)
+* `com.fasterxml.jackson.core:jackson-core:jar:2.12.7:compile`: sonatype-2022-6438
 * `commons-net:commons-net:jar:3.6:compile`: CVE-2021-37533
 
 ## Features

doc/changes/changes_2.0.4.md

@@ -0,0 +1,30 @@
+# Parquet for Java 2.0.4, released 2023-06-28
+
+Code name: Updated dependencies to fix CVE vulnerabilities
+
+## Summary
+
+This release updates `Hadoop` dependency to fix CVE vulnerabilities.
+
+## Security
+
+* #50: Upgraded Hadoop dependency to fix CVE vulnerabilities
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `org.apache.hadoop:hadoop-client:3.3.5` to `3.3.6`
+* Updated `org.apache.parquet:parquet-hadoop:1.13.0` to `1.13.1`
+* Updated `org.scala-lang:scala-library:2.13.10` to `2.13.11`
+* Added `org.xerial.snappy:snappy-java:1.1.10.1`
+
+### Test Dependency Updates
+
+* Updated `org.junit.jupiter:junit-jupiter:5.9.2` to `5.9.3`
+* Updated `org.mockito:mockito-core:5.3.1` to `5.4.0`
+* Updated `org.mockito:mockito-junit-jupiter:5.3.1` to `5.4.0`
+
+### Plugin Dependency Updates
+
+* Updated `org.itsallcode:openfasttrace-maven-plugin:1.6.1` to `1.6.2`

pom.xml

@@ -3,35 +3,31 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.exasol</groupId>
     <artifactId>parquet-io-java</artifactId>
-    <version>2.0.3</version>
+    <version>2.0.4</version>
     <name>Parquet for Java</name>
     <description>This project provides a library that reads Parquet files into Java objects.</description>
     <url>https://github.com/exasol/parquet-io-java/</url>
+    <parent>
+        <artifactId>parquet-io-java-generated-parent</artifactId>
+        <groupId>com.exasol</groupId>
+        <version>2.0.4</version>
+        <relativePath>pk_generated_parent.pom</relativePath>
+    </parent>
     <properties>
-        <scala.version>2.13.10</scala.version>
+        <scala.version>2.13.11</scala.version>
         <scala.compat.version>2.13</scala.compat.version>
-        <mockito.version>5.3.1</mockito.version>
+        <mockito.version>5.4.0</mockito.version>
     </properties>
-    <distributionManagement>
-        <snapshotRepository>
-            <id>ossrh</id>
-            <url>https://oss.sonatype.org/content/repositories/snapshots</url>
-        </snapshotRepository>
-        <repository>
-            <id>ossrh</id>
-            <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
-        </repository>
-    </distributionManagement>
     <dependencies>
         <dependency>
             <groupId>org.apache.parquet</groupId>
             <artifactId>parquet-hadoop</artifactId>
-            <version>1.13.0</version>
+            <version>1.13.1</version>
         </dependency>
         <dependency>
             <groupId>org.apache.hadoop</groupId>
             <artifactId>hadoop-client</artifactId>
-            <version>3.3.5</version>
+            <version>3.3.6</version>
             <!-- Excluding transitive dependencies with vulnerabilities. -->
             <exclusions>
                 <exclusion>
@@ -101,6 +97,11 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>org.xerial.snappy</groupId>
+            <artifactId>snappy-java</artifactId>
+            <version>1.1.10.1</version>
+        </dependency>
         <dependency>
             <groupId>org.scala-lang</groupId>
             <artifactId>scala-library</artifactId>
@@ -115,7 +116,7 @@
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter</artifactId>
-            <version>5.9.2</version>
+            <version>5.9.3</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -217,7 +218,7 @@
             <plugin>
                 <groupId>org.itsallcode</groupId>
                 <artifactId>openfasttrace-maven-plugin</artifactId>
-                <version>1.6.1</version>
+                <version>1.6.2</version>
                 <executions>
                     <execution>
                         <id>trace-requirements</id>
@@ -244,17 +245,6 @@
                     </execution>
                 </executions>
             </plugin>
-            <plugin>
-                <groupId>org.sonatype.ossindex.maven</groupId>
-                <artifactId>ossindex-maven-plugin</artifactId>
-                <configuration>
-                    <excludeVulnerabilityIds>
-                        <!-- org.apache.hadoop:hadoop-hdfs-client:jar:3.3.4: CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (8.6); https://ossindex.sonatype.org/vulnerability/sonatype-2022-5732
-                        No update available -->
-                        <exclude>sonatype-2022-5732</exclude>
-                    </excludeVulnerabilityIds>
-                </configuration>
-            </plugin>
             <plugin>
                 <groupId>org.basepom.maven</groupId>
                 <artifactId>duplicate-finder-maven-plugin</artifactId>
@@ -283,10 +273,4 @@
             </plugin>
         </plugins>
     </build>
-    <parent>
-        <artifactId>parquet-io-java-generated-parent</artifactId>
-        <groupId>com.exasol</groupId>
-        <version>2.0.3</version>
-        <relativePath>pk_generated_parent.pom</relativePath>
-    </parent>
 </project>